The present invention relates to information security technology and, more specifically, to an abnormality detection mechanism for effectively detecting an abnormality that occurs in a control system and for isolating the control system in which the abnormality is observed.
Modern society relies on various kinds of infrastructure, including electrical, gas, water and train services, finance, plants, pipelines and the like. In recent years, in order to realize smart offices, smart buildings, smart cities and smart energy use, these important social infrastructures have seen industrial control systems interconnected via networks and made to collaborate with information systems.
On the other hand, industrial control systems have conventionally been designed on the assumption that they operate in a closed system isolated from the outside, because a stoppage of their function could have a large influence on the social economy. Security measures in industrial control systems are therefore not necessarily as complete as those in information systems, and there has been a problem that, in an open environment connected to a network such as the Internet, industrial control systems are easily affected by threats such as viruses, worms, Trojan horses and other malicious code, hacking, unauthorized break-ins, insider attacks, abnormal operation and disclosure of information.
However, if the important infrastructures are attacked, the influence is large and extensive. Since an industrial control system controls actuators such as the valves of a plant or a pipeline, its malfunction causes not only the interruption of operations but also excessive pressure in a boiler, human suffering such as city-scale blackouts due to inappropriate transmission of electric energy, and environmental destruction due to the unusual discharge of a dam. Accordingly, it is desirable to realize advanced security so as to protect the industrial control system from the threats mentioned above. Further, should an abnormality in which the aforementioned threats are suspected occur, it is desirable to protect the industrial device and other industrial control systems by detecting the abnormality quickly.
For viruses, unauthorized access and the like, various types of security measures are known in information systems, so it is considered useful to some extent to introduce security measures applied in information systems. As one such security technique, for example, Japanese Unexamined Patent Publication No. 2004-302538 describes a technique called A-IDS (Autonomous Intrusion Detection System), whose feature is a mutual monitoring configuration in which every terminal in the network (DMZ) to be protected is monitored by another terminal.
Japanese Unexamined Patent Publication No. 2006-33140 discloses a network management apparatus having the following feature: when a source generating unauthorized access is detected, the number of terminals sending unauthorized packets is counted for every segment, and the interface to which each segment is connected is looked up, in order to quickly restrain the spread of such a source; when, in the segment to which the unauthorized-packet sending terminals belong, that number is not within a predetermined range set beforehand, the interface to which that segment is connected is blocked.

Japanese Unexamined Patent Publication No. 2005-250802 discloses an unauthorized-access detection apparatus having the following feature: received access data is analyzed; feature quantity data indicative of the features of abnormal data is calculated; the feature quantity data is inserted into feature-quantity storage data; a statistical model separating a value area considered to be normal access from a value area considered to be abnormal access is formed from the feature-quantity storage data; and it is judged whether feature quantity data belongs to the value area considered to be abnormal access in the statistical model.

Japanese Unexamined Patent Publication No. 2007-96735 discloses a learning-type network security apparatus for protecting an information processing apparatus from unauthorized break-ins, the apparatus being provided between the external network and LAN on one side and the information processing apparatus on the other.
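As an added illustration, not taken from any of the cited publications, the following Python sketch combines the two mechanisms described above: a statistical normal/abnormal value area learned from stored feature quantities, and per-segment counting of offending terminals that decides which upstream interface to block. The segment layout, the choice of feature, the thresholds and all sample values are constructed assumptions.

```python
import ipaddress
import statistics
from collections import defaultdict

# Constructed learning data (not from the patent): connection attempts per minute
# observed from well-behaved terminals, i.e. the "feature-quantity storage data".
NORMAL_HISTORY = [3, 4, 5, 4, 6, 5, 3, 4, 5, 4]

# Constructed segment layout: each segment (subnet) hangs off one switch interface.
SEGMENT_INTERFACES = {
    ipaddress.ip_network("192.0.2.0/26"): "eth1",
    ipaddress.ip_network("192.0.2.64/26"): "eth2",
}

def build_model(history, k=3.0):
    # Statistical model: the value area considered normal is mean +/- k stdev.
    mean = statistics.mean(history)
    stdev = statistics.pstdev(history) or 1.0
    return (mean - k * stdev, mean + k * stdev)

def is_abnormal(feature, model):
    # A feature quantity outside the normal value area is judged abnormal.
    low, high = model
    return not (low <= feature <= high)

def segment_of(addr):
    ip = ipaddress.ip_address(addr)
    return next((net for net in SEGMENT_INTERFACES if ip in net), None)

def interfaces_to_block(observations, model, max_offenders=1):
    # Count distinct abnormal terminals per segment; a segment whose count is
    # outside the allowed range (here: more than max_offenders) has its
    # upstream interface returned for blocking.
    offenders = defaultdict(set)
    for addr, feature in observations:
        seg = segment_of(addr)
        if seg is not None and is_abnormal(feature, model):
            offenders[seg].add(addr)
    return sorted(SEGMENT_INTERFACES[seg]
                  for seg, hosts in offenders.items() if len(hosts) > max_offenders)

# Constructed observations: (source address, connection attempts per minute).
OBSERVATIONS = [
    ("192.0.2.10", 4), ("192.0.2.11", 250), ("192.0.2.12", 300),  # two offenders behind eth1
    ("192.0.2.70", 5), ("192.0.2.71", 180),                       # one offender behind eth2
]

if __name__ == "__main__":
    print(interfaces_to_block(OBSERVATIONS, build_model(NORMAL_HISTORY)))  # ['eth1']
```

With a single offender tolerated per segment, only the segment behind eth1 is cut off; lowering the tolerance to zero would also isolate eth2, which is the trade-off between containment speed and collateral loss of service that the range parameter controls.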
Further, a security model called a sandbox is known, which prevents a system from being operated in an unauthorized manner by running a program in a protected area. For example, Japanese Translation of PCT International Application Publication No. 2004-518193 discloses a computer system including a desktop isolation area, or sandbox, for suspicious data. Japanese Translation of PCT International Application Publication No. 2008-500653 discloses a method for improving the security of a processing system by performing at least one of executing and accessing a suspicious file in a sandbox virtual machine.
However, industrial control systems have features different from those of information systems, and it cannot be said that applying the security techniques used in information systems is sufficient. Thus, an abnormality in which the aforementioned threats are suspected cannot be detected effectively so that measures can be taken against it. Further, industrial control systems require real-time device control, and therefore heavy-load monitoring and diagnosis are not appropriate.